
CVE-2023-36900 PoC — Windows Common Log File System Driver Elevation of Privilege Vulnerability

Associated vulnerability: Windows Common Log File System Driver Elevation of Privilege Vulnerability (CVE-2023-36900)

Description: Denial-of-Service PoC | Writeup | Header with CLFS structures | Imhex pattern for .blf extension
Readme
# CVE-2023-36900
- About this vulnerability: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-36900.
- [Writeup](https://github.com/RomanRybachek/CVE-2023-36900/blob/main/writeup/eng/writeup_eng.md)
- [Imhex pattern for .blf extension](#imhex-pattern-for-blf-extension)
- [Header with declaration of CLFS structures](https://github.com/RomanRybachek/CVE-2023-36900/blob/main/clfs_structures.h)
- [Denial-of-Service proof of concept](#denial-of-service-proof-of-concept)
## Imhex pattern for blf extension
### Before:
<img src="https://github.com/RomanRybachek/CVE-2023-36900/blob/main/git_resources/blf_before.png" alt="drawing" width="500"/><br>
### After:
<img src="https://github.com/RomanRybachek/CVE-2023-36900/blob/main/git_resources/blf_after.png" alt="drawing" width="500"/><br><br>
The pattern is far from ideal, but it can be useful. [Link](https://github.com/RomanRybachek/CVE-2023-36900/blob/main/imhex_pattern/blf_clfs.hexpat) <br>
### How to use:
```
File->Import->Pattern File
```
## Denial of Service proof of concept
The proof of concept requires [python](https://www.python.org/downloads/windows/) and the [pwntools](https://github.com/Gallopsled/pwntools) module installed.
Because testing has to be done on a specific build of Windows, the test machine must stay disconnected from the Internet so that Microsoft cannot update the OS. All dependencies therefore need to be installed offline. [How to install python modules without internet](http://srikanthtechnologies.com/blog/python/installing_libraries_offline.aspx).<br>
To run the PoC, copy [the folder with the PoC](https://github.com/RomanRybachek/CVE-2023-36900/tree/main/poc) to the target machine and use the following command:
```
python launch.py DoS
```
File Snapshot

```
[4.0K] /data/pocs/1356c8fa4f8f5fa097511c81be42efaf4f4bbdca
├── [4.0K] blf
│   ├── [ 32M] can_load_custom_values.blf
│   ├── [ 64K] can_put_any_size.blf
│   ├── [ 64K] can_reach_patched_func.blf
│   ├── [ 64K] can_trigger_vuln.blf
│   └── [ 64K] template.blf
├── [6.5K] clfs_structures.h
├── [4.0K] c_sources
│   ├── [4.0K] create_log_with_container
│   │   ├── [2.9K] create_log_with_container.cpp
│   │   ├── [6.5K] create_log_with_container.vcxproj
│   │   ├── [ 977] create_log_with_container.vcxproj.filters
│   │   └── [ 220] create_log_with_container.vcxproj.user
│   ├── [4.0K] create_stream
│   │   ├── [2.1K] create_stream.cpp
│   │   ├── [6.4K] create_stream.vcxproj
│   │   ├── [ 965] create_stream.vcxproj.filters
│   │   └── [ 165] create_stream.vcxproj.user
│   ├── [2.9K] c_sources.sln
│   ├── [4.0K] open_log
│   │   ├── [3.5K] open_log.cpp
│   │   ├── [6.4K] open_log.vcxproj
│   │   ├── [ 960] open_log.vcxproj.filters
│   │   └── [ 165] open_log.vcxproj.user
│   ├── [4.0K] test
│   │   ├── [2.7K] test.cpp
│   │   ├── [6.4K] test.vcxproj
│   │   ├── [ 956] test.vcxproj.filters
│   │   └── [ 165] test.vcxproj.user
│   └── [4.0K] test_leak
│       ├── [1.5K] test_leak.cpp
│       ├── [6.3K] test_leak.vcxproj
│       ├── [ 961] test_leak.vcxproj.filters
│       └── [ 165] test_leak.vcxproj.user
├── [4.0K] git_resources
│   ├── [117K] blf_after.png
│   ├── [ 55K] blf_before.png
│   ├── [ 96K] ctrl_record_example.png
│   ├── [ 67K] path_to_create_dispatch.png
│   └── [ 96K] rgBlocks_example.png
├── [4.0K] imhex_pattern
│   └── [4.4K] blf_clfs.hexpat
├── [4.0K] poc
│   ├── [280K] create_stream.exe
│   ├── [2.6K] launch.py
│   └── [8.6K] update_crc32.py
├── [1.7K] README.md
└── [4.0K] writeup
    ├── [4.0K] eng
    │   └── [ 11K] writeup_eng.md
    ├── [4.0K] resources
    │   ├── [ 32K] cmp_at_graph.png
    │   ├── [144K] cmp.png
    │   ├── [ 25K] graph_before_n_after.png
    │   ├── [ 26K] little_block_in_decompiler.png
    │   └── [136K] little_block_in_disasm.png
    └── [4.0K] ru
        └── [   0] writeup_ru.md

14 directories, 44 files
```